diff --git a/hosts/mail/modules/openldap.nix b/hosts/mail/modules/openldap.nix
index 70fbd89..2fbd175 100644
--- a/hosts/mail/modules/openldap.nix
+++ b/hosts/mail/modules/openldap.nix
@@ -55,20 +55,28 @@ in {
 by * none
 ''
 ''
- {1}to attrs=loginShell
+ {1}to attrs=pgpPublicKey
+ by self write
+ by anonymous read
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * read
+ ''
+ ''
+ {2}to attrs=loginShell
 by self write
 by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
 by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
 by * none
 ''
 ''
- {2}to dn.subtree="ou=system,ou=users,dc=cloonar,dc=com"
+ {3}to dn.subtree="ou=system,ou=users,dc=cloonar,dc=com"
 by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
 by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
 by * none
 ''
 ''
- {3}to *
+ {4}to *
 by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
 by dn="cn=admin,dc=cloonar,dc=com" write
 by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
@@ -123,7 +131,15 @@ in {
 by * none
 ''
 ''
- {1}to *
+ {1}to attrs=pgpPublicKey
+ by self write
+ by anonymous read
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * read
+ ''
+ ''
+ {2}to *
 by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
 by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
 by * read
@@ -160,7 +176,15 @@ in {
 by * none
 ''
 ''
- {1}to *
+ {1}to attrs=pgpPublicKey
+ by self write
+ by anonymous read
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * read
+ ''
+ ''
+ {2}to *
 by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
 by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
 by * read
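Review bot: In the new `{1}to attrs=pgpPublicKey` rule, `by anonymous read` is subsumed by the closing `by * read` (the `*` subject already covers anonymous binds), so the line is redundant; more importantly, an anonymous client only receives this attribute in search results if it also has read access on the `entry` pseudo-attribute, which in this first database is governed by the `{4}to *` rule whose visible `by` clauses grant nothing to `*` (its tail is outside the hunk), while in the later databases the `{2}to *` rule does end in `by * read`. Either drop the `anonymous` line and document the intended exposure, e.g. `# pgpPublicKey is intentionally world-readable so mail clients can discover keys`, or, if anonymous lookup is the goal for this database too, confirm its `to *` rule grants `entry` read to anonymous. The same eight-line stanza is pasted verbatim into the hunks at -123, -160, -198, -236 and -274; binding it once in a Nix `let` and referencing it from each database would keep the six copies from drifting apart.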
@@ -198,7 +222,15 @@ in {
 by * none
 ''
 ''
- {1}to *
+ {1}to attrs=pgpPublicKey
+ by self write
+ by anonymous read
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * read
+ ''
+ ''
+ {2}to *
 by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
 by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
 by * read
@@ -236,7 +268,15 @@ in {
 by * none
 ''
 ''
- {1}to *
+ {1}to attrs=pgpPublicKey
+ by self write
+ by anonymous read
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * read
+ ''
+ ''
+ {2}to *
 by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
 by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
 by * read
@@ -274,7 +314,15 @@ in {
 by * none
 ''
 ''
- {1}to *
+ {1}to attrs=pgpPublicKey
+ by self write
+ by anonymous read
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * read
+ ''
+ ''
+ {2}to *
 by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
 by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
 by * read
@@ -299,7 +347,7 @@ in {
 (1.3.6.1.4.1.28298.1.2.4 NAME 'cloonarUser'
 SUP (mailAccount) AUXILIARY
 DESC 'Cloonar Account'
- MAY (sshPublicKey $ ownCloudQuota $ quota))
+ MAY (sshPublicKey $ pgpPublicKey $ ownCloudQuota $ quota))
 ''
 ];
 };
@@ -374,14 +422,22 @@ in { EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) '' + '' + (1.3.6.1.4.1.24552.500.1.1.1.14 + NAME 'pgpPublicKey' + DESC 'PGP/GPG Public key' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) + '' ]; olcObjectClasses = [ '' (1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY - DESC 'MANDATORY: OpenSSH LPK objectclass' - MUST ( sshPublicKey $ uid )) + DESC 'SSH and PGP Public Key Support' + MUST ( uid ) + MAY ( sshPublicKey $ pgpPublicKey )) '' ]; };
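Review bot: The new pgpPublicKey attribute type is minted as 1.3.6.1.4.1.24552.500.1.1.1.14, i.e. inside the arc this file otherwise uses only for the upstream openssh-lpk definitions (the removed DESC still calls ldapPublicKey the "OpenSSH LPK objectclass"), whereas the project's own additions such as cloonarUser live under 1.3.6.1.4.1.28298; allocating in another organisation's arc risks colliding with a future upstream assignment, so register it under the project arc instead, e.g. `(1.3.6.1.4.1.28298.<next-free-attribute-id>` (placeholder id). Rewriting the stock ldapPublicKey object class in place (sshPublicKey demoted from MUST to MAY, DESC replaced) is backward-compatible for entries already in the directory, but it silently diverges from the schema that LPK-aware consumers may assume, so a comment such as `# local variant of openssh-lpk: sshPublicKey is optional here and pgpPublicKey is added` above the definition would make the deviation explicit. Since pgpPublicKey is also listed as MAY on cloonarUser in the -299 hunk, it may be worth stating in that comment which object class is the intended carrier.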